9668136

Using Derived Credentials for Enrollment with Enterprise Mobile Device Management Services

Published: May 30, 2017
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
18 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: receiving, by a mobile computing device, a command to enroll with an enterprise mobile device management server; in response to receiving the command to enroll with the enterprise mobile device management server, launching, by the mobile computing device, an enrollment application; requesting, by the mobile computing device, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service; after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving, by the mobile computing device, a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service; sending, by the mobile computing device, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service; switching, by the mobile computing device, from the enrollment application to a certificate management system application on the mobile computing device; requesting, by the mobile computing device, using the certificate management system application, one or more derived credentials from a certificate management system server; storing, by the mobile computing device, using the certificate management system application, the one or more derived credentials in a shared vault on the mobile computing device; switching, by the mobile computing device, from the certificate management system application to the enrollment application; retrieving, by the mobile computing device, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault on the mobile computing device; and providing, by 
the mobile computing device, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll the mobile computing device with at least one mobile device management service provided by the enterprise mobile device management server.

2. The method of claim 1, further comprising: prompting, by the mobile computing device, using the enrollment application, a user of the mobile computing device, for an address of the enterprise mobile device management server.

3. The method of claim 1, further comprising: receiving, by the mobile computing device, using the enrollment application, a password from a user of the mobile computing device; generating, by the mobile computing device, using the enrollment application, a password validation value based on the password received from the user of the mobile computing device; storing, by the mobile computing device, using the enrollment application, the password validation value in the shared vault on the mobile computing device; providing, by the mobile computing device, using the enrollment application, the password received from the user of the mobile computing device to the certificate management system application; and validating, by the mobile computing device, using the certificate management system application, the provided password to the certificate management system application based on the password validation value stored in the shared vault on the mobile computing device.

4. The method of claim 3, further comprising: receiving, by the mobile computing device, responsive to the enrollment request message, a message from the enterprise mobile device management server comprising password complexity validation rules; and validating, by the mobile computing device, the password using the password complexity validation rules.

5. The method of claim 3, wherein the generating the password validation value comprises: generating a hash of the password; and encrypting the hash of the password.

6. The method of claim 3, further comprising: encrypting, by the mobile computing device, using the certificate management system application, the one or more derived credentials based on the password received from the user of the mobile computing device and provided to the certificate management system application, prior to storing the one or more derived credentials in the shared vault on the mobile computing device.

7. The method of claim 3, further comprising: encrypting, by the mobile computing device, using the certificate management system application, the one or more derived credentials using a private/public key pair, prior to storing the one or more derived credentials in the shared vault on the mobile computing device.

8. The method of claim 1, further comprising: prior to switching to the certificate management system application on the mobile computing device, receiving, by the mobile computing device, responsive to the enrollment request message, a message from the enterprise mobile device management server identifying the certificate management system application on the mobile computing device; and determining, by the mobile computing device, to switch to the certificate management system application on the mobile computing device based on the message received from the enterprise mobile device management server identifying the certificate management system application on the mobile computing device.

9. The method of claim 1, further comprising: storing, by the mobile computing device, using the certificate management system application, at least one derived credential of the one or more derived credentials after an enrollment process is completed.

10. The method of claim 1, wherein the enrollment application and the certificate management system application are digitally signed with an identical development signing certificate.

11. The method of claim 10, further comprising: retrieving, by the mobile computing device, using one or more applications on the mobile computing device that are digitally signed with the same development signing certificate as the enrollment application and the certificate management system application, at least one derived credential of the one or more derived credentials from the shared vault; and using, by the mobile computing device the at least one derived credential of the one or more derived credentials retrieved from the shared vault to provide functionality in the one or more applications on the mobile computing device or to access enterprise resources with the one or more applications on the mobile computing device.

12. The method of claim 1, further comprising: retrieving, by the mobile computing device, using the enrollment application, a first derived credential and a second derived credential from the shared vault; providing, by the mobile computing device, using the enrollment application, the first derived credential to the enterprise mobile device management server to complete mobile device management enrollment; and providing, by the mobile computing device, using the enrollment application, the second derived credential to the enterprise mobile device management server to complete mobile application management enrollment.

13. The method of claim 1, wherein the mobile computing device is provisioned by the enterprise mobile device management server with policies and applications after an enrollment process is completed.

14. The method of claim 1, further comprising: prior to requesting the one or more derived credentials from the certificate management system server: authenticating, by the mobile computing device, using the certificate management system application, with the certificate management system server using the certificate management system application.

15. The method of claim 14, wherein authenticating with the certificate management system server comprises prompting a user of the mobile computing device to provide data for identification and authentication purposes.

16. The method of claim 1, wherein switching to the certificate management system application on the mobile computing device comprises: launching an application store on the mobile computing device; and prompting a user of the mobile computing device to install the certificate management system application, if or when the certificate management system application is not installed on the mobile computing device.

17. A system, comprising: at least one processor; and at least one memory storing computer executable instructions that, when executed by the at least one processor, cause the system to: receive a command to enroll with an enterprise mobile device management server; in response to receiving the command to enroll with the enterprise mobile device management server, launch an enrollment application; request, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service; after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service; send, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service; switch from the enrollment application to a certificate management system application; request, using the certificate management system application, one or more derived credentials from a certificate management system server; store, using the certificate management system application, the one or more derived credentials in a shared vault; switch from the certificate management system application to the enrollment application; retrieve, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault; and provide, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server to enroll with at least one mobile device management service provided by the enterprise 
mobile device management server.

18. One or more non-transitory computer-readable medium storing computer-executable instructions that, when executed by a computer system comprising at least one processor, and least one memory, cause the computer system to perform a method comprising: receiving a command to enroll with an enterprise mobile device management server; in response to receiving the command to enroll with the enterprise mobile device management server, launching an enrollment application; requesting, using the enrollment application, configuration information for the enterprise mobile device management server from an automatic discovery service; after requesting the configuration information for the enterprise mobile device management server from the automatic discovery service, receiving a message comprising the configuration information for the enterprise mobile device management server from the automatic discovery service; sending, using the enrollment application, an enrollment request message to the enterprise mobile device management server, wherein the enrollment request message comprises the configuration information for the enterprise mobile device management server received from the automatic discovery service; switching from the enrollment application to a certificate management system application; requesting, using the certificate management system application, one or more derived credentials from a certificate management system server; storing, using the certificate management system application, the one or more derived credentials in a shared vault; switching from the certificate management system application to the enrollment application; retrieving, using the enrollment application, a derived credential of the one or more derived credentials stored in the shared vault; and providing, using the enrollment application, the derived credential of the one or more derived credentials retrieved using the enrollment application to the enterprise mobile device management server 
to enroll with at least one mobile device management service provided by the enterprise mobile device management server.

Patent Metadata

Filing Date

Unknown

Publication Date

May 30, 2017

Inventors

Shaunak Mistry
Younus Aftab


Cite as: Patentable. “Using Derived Credentials for Enrollment with Enterprise Mobile Device Management Services” (9668136). https://patentable.app/patents/9668136
